
Microsoft Security Response Center

Responsible Disclosure Policy & Acknowledgement Policy for Security Bulletins

If you've read Microsoft Security Bulletins, you're no doubt familiar with the acknowledgment section that appears in most bulletins. In January 2000, Microsoft began following a new policy regarding acknowledgments in security bulletins. We would like to ensure that customers are familiar with the new policy and recognize the service that the acknowledged security professionals provide to the community.

Microsoft is committed to protecting customers' information, and the Microsoft Security Response Center is the most visible proof of this commitment. The MSRC investigates all reported security vulnerabilities in Microsoft products. When we find a vulnerability, we develop an update as quickly as possible and broadly disseminate information about the vulnerability, the risk it poses, and what customers can do to protect themselves against it.

However, to do this we need the help of the people who discover security vulnerabilities. No vendor can develop security updates overnight. Microsoft products run on thousands of different manufacturers' hardware, in millions of different configurations, and in conjunction with countless other applications. Our security updates must operate correctly on every single machine.

This is a significant engineering challenge under any conditions, but it is even more difficult when details of a vulnerability have been made public before an update can be developed. In such cases, speed must become our primary consideration, in order to protect our customers against malicious users who would exploit the vulnerability.

The responsibility for Microsoft's products rests with Microsoft alone, and we take that responsibility very seriously. However, there has traditionally been an unwritten rule among security professionals that the discoverer of a security vulnerability has an obligation to give the vendor an opportunity to correct the vulnerability before publicly disclosing it.

This serves everyone's best interests, by ensuring that customers receive comprehensive, high-quality updates for security vulnerabilities but are not exposed to malicious users while the update is being developed. After customers are protected, public discussion of the vulnerability is entirely in order, and helps the industry at large improve its products.

Many security professionals follow these practices, and Microsoft wants to single them out for special thanks. The acknowledgment section of our security bulletins is intended to do this. When you see a security professional acknowledged in a Microsoft Security Bulletin, it means that they reported the vulnerability to us confidentially, worked with us to develop the update, and helped us disseminate information about it after the threat was mitigated. They minimized the threat to customers everywhere by ensuring that Microsoft could fix the problem before malicious users even knew it existed.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
